RFR: 8215788: Clarify JarInputStream Manifest access [v11]
Lance Andersen
lancea at openjdk.org
Tue Sep 20 18:08:26 UTC 2022
On Tue, 20 Sep 2022 17:53:27 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> Now that this API has a section about signed JARs, I think it is very important to include the following sentences which are copied from `JarFile`:
>
> "Please note that the verification process does not include validating the signer's certificate. A caller should inspect the return value of [JarEntry.getCodeSigners()](https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/util/jar/JarEntry.html#getCodeSigners()) to further determine if the signature can be trusted."
Add the note per your request
-------------
PR: https://git.openjdk.org/jdk/pull/10045
More information about the security-dev
mailing list